module
Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE
| Disclosed |
|---|
| Feb 17, 2020 |
Disclosed
Feb 17, 2020
Description
This module exploits LFI and log poisoning vulnerabilities
(CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a
build-242466 and older in order to achieve unauthenticated remote
code execution as the root user. NetConfig is the Aerohive/Extreme
Networks HiveOS administrative webinterface. Vulnerable versions
allow for LFI because they rely on a version of PHP 5 that is
vulnerable to string truncation attacks. This module leverages this
issue in conjunction with log poisoning to gain RCE as root.
Upon successful exploitation, the Aerohive NetConfig application
may hang for as long as the spawned shell remains open. For the
Linux target, the MeterpreterTryToFork option (enabled by default)
will likely prevent this. If the app hangs, closing the session
should render it responsive again.
The module provides an automatic cleanup option to clean the log.
However, this option is disabled by default because any modifications
to the /tmp/messages log, even via sed, may render the target
(temporarily) unexploitable. This state can last over an hour.
This module has been successfully tested against Aerohive NetConfig
versions 8.2r4 and 10.0r7a.
(CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a
build-242466 and older in order to achieve unauthenticated remote
code execution as the root user. NetConfig is the Aerohive/Extreme
Networks HiveOS administrative webinterface. Vulnerable versions
allow for LFI because they rely on a version of PHP 5 that is
vulnerable to string truncation attacks. This module leverages this
issue in conjunction with log poisoning to gain RCE as root.
Upon successful exploitation, the Aerohive NetConfig application
may hang for as long as the spawned shell remains open. For the
Linux target, the MeterpreterTryToFork option (enabled by default)
will likely prevent this. If the app hangs, closing the session
should render it responsive again.
The module provides an automatic cleanup option to clean the log.
However, this option is disabled by default because any modifications
to the /tmp/messages log, even via sed, may render the target
(temporarily) unexploitable. This state can last over an hour.
This module has been successfully tested against Aerohive NetConfig
versions 8.2r4 and 10.0r7a.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.